Registry

Nice one. Liked it

Need some nudges… I’ve managed to find the /b***/b***/l***** page as well as the d**** version api page. Have read the docs and understand that I’m supposed to pull images. However I’m stuck at both sides without authentication creds. Am I supposed to be bruteforcing or am I simply looking in the wrong place?

@hackerB31 said:
Need some nudges… I’ve managed to find the /b***/b***/l***** page as well as the d**** version api page. Have read the docs and understand that I’m supposed to pull images. However I’m stuck at both sides without authentication creds. Am I supposed to be bruteforcing or am I simply looking in the wrong place?

Have you tried any classic username/password combinations? I have maybe a few logins I try on every page I come across (as well as googling for the application’s default creds).

If you try that and are still stuck, maybe reset the box (people can be jerks). Bruteforcing should be avoided.

Currently stuck at bt user. From the hints provided here, I think I’m supposed to su to w-d*** and exploit r***c somehow? I’ve even gone through the php files but still can’t find anything useful. Would appreciate it if someone could give me a nudge in the right direction ><

I got the .crt file. Can someone give me a hint what to do next?

Go back to initial enumeration. You need to pass through that gate you could not pass at first. Look closely at file permissions; you might need to get other users' permissions in order to get root.

@drdsol92 said:
Currently stuck at bt user. From the hints provided here, I think I’m supposed to su to w-d*** and exploit r***c somehow? I’ve even gone through the php files but still can’t find anything useful. Would appreciate it if someone could give me a nudge in the right direction ><

root@bolt:~#

■■■■. This box was a blast! My first hard box and the box I enjoyed the most until now.

Kudos to thek for creating this for us… Also kudos to all the people that brainstormed this puzzle with me: Rb1929, P3tj3v and Rolesa

Frustrating yet incredibly fun and fulfilling box. I embarrassingly way over-complicated the initial foothold. This box was a pleasure. Thanks @thek!

Thanks a lot @thek for this box. I had a lot of fun, really. I was familiar with the first technology used, but the whole root part was new and I felt a really nice sense of accomplishment.

If anyone is willing to give me a little help and wouldn’t mind messaging me, it would be greatly appreciated.

Allowing ssh/write to LHOST should never be encouraged. Very poor opsec. Even the flags were wrong. A new low.

Got user, moving into root

Really stuck with root :frowning:
Tried anything with r****c, s**p is patched…
Any advice?

Managed to get user! Kudos to @izzie for the nudge. Now really stuck on root however, after getting the s** b*** shell and b/b/ webapp login, unsure how to get a reverse shell for w**-d***

Also, is anyone else frequently getting 504 timeouts on the /b/b pages?

—edit—
Rooted! Thanks to @rholas for the tips and @thek for creating the box, much appreciated!

PM for Nuggets

Comment deleted :s

still trying for root…

Rooted

root@bolt:~# id; hostname; whoami
uid=0(root) gid=0(root) groups=0(root)
bolt
root
root@bolt:~#

Thanks @rholas

Root and w**-d** user fucked my mind

Finally rooted!

User: was a walk in the park, just look around and be curious.

Root: Real challenge is here lol. Had to hop many hurdles in order to get the root flag.

PM for hints, friends :slight_smile:

I finally can go to sleep after getting the flag

Rooted (!) - what a journey. Some steps towards root were frustrating but in the end I really enjoyed this box, learned a lot.

PM for hints.